
RDP Replay Code Release

In a previous blog post we described how, during routine monitoring of a client network, Context analysts noticed unexpected RDP traffic that further investigation showed to be an intrusion.

By Steve Elliott

We took a more in-depth look at what information could be extracted from a PCAP of this activity, which led to a tool being created to replay the RDP session as the attacker would have seen it. Read the original blog post in full here.

We have made this tool available after being asked for it by a number of our blog readers. To decrypt the captured traffic, the tool requires the server's private key, which can usually be recovered with the client's cooperation.
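Whether a captured session can be decrypted with the server's key at all depends on which security layer the client and server negotiated at the very start of the connection. The example below is an added illustration, not part of Context's tool or the original post: it parses the X.224 Connection Request and Connection Confirm (TPKT framing plus the optional RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE structures, laid out as in MS-RDPBCGR) and reports which protocol was selected. The sample packets, including the `analyst` cookie value, are constructed inline purely for demonstration; the `build_*` helpers exist only to create that test data.

```python
"""Added example (not Context's tool): inspect the RDP connection negotiation
captured at the start of a session to see which security layer was selected,
and therefore whether the server's private key is what is needed to decrypt it.
Layouts follow MS-RDPBCGR: TPKT header, X.224 Connection Request / Confirm,
and the optional RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE structures."""
import struct

# requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.1.1 and 2.2.1.2.1)
PROTOCOL_NAMES = {
    0x00000000: "PROTOCOL_RDP",        # standard RDP security: RSA-wrapped client random
    0x00000001: "PROTOCOL_SSL",        # TLS
    0x00000002: "PROTOCOL_HYBRID",     # CredSSP (NLA) over TLS
    0x00000004: "PROTOCOL_RDSTLS",
    0x00000008: "PROTOCOL_HYBRID_EX",
}
X224_CR, X224_CC = 0xE0, 0xD0                     # TPDU codes (high nibble)
NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03   # negotiation structure types
TLS_BASED = ("PROTOCOL_SSL", "PROTOCOL_HYBRID", "PROTOCOL_HYBRID_EX", "PROTOCOL_RDSTLS")


def _x224_variable_part(packet, tpdu_code):
    """Strip TPKT framing and the fixed X.224 fields; return the variable part."""
    if len(packet) < 11 or packet[0] != 0x03:
        raise ValueError("not a TPKT-framed X.224 PDU")
    tpkt_len = struct.unpack(">H", packet[2:4])[0]
    if tpkt_len != len(packet):
        raise ValueError("TPKT length field does not match packet size")
    x224 = packet[4:]
    li = x224[0]  # length indicator: bytes that follow it
    if x224[1] & 0xF0 != tpdu_code:
        raise ValueError("unexpected X.224 TPDU code 0x%02x" % x224[1])
    # after LI: code(1) dst-ref(2) src-ref(2) class(1), then the variable part
    return x224[7:1 + li]


def _names(mask):
    """Expand a requestedProtocols bitmask; 0 means standard RDP security only."""
    if mask == 0:
        return ["PROTOCOL_RDP"]
    return [name for bit, name in PROTOCOL_NAMES.items() if bit and mask & bit]


def parse_connection_request(packet):
    """Client -> server: optional mstshash cookie, then optional RDP_NEG_REQ."""
    var = _x224_variable_part(packet, X224_CR)
    cookie = None
    if var.startswith(b"Cookie: mstshash="):
        end = var.index(b"\r\n")
        cookie = var[len(b"Cookie: mstshash="):end].decode("ascii", "replace")
        var = var[end + 2:]
    requested = 0  # absent RDP_NEG_REQ: legacy client, standard security only
    if len(var) >= 8 and var[0] == NEG_REQ:
        length, requested = struct.unpack("<HI", var[2:8])
        if length != 8:
            raise ValueError("malformed RDP_NEG_REQ")
    return {"cookie": cookie, "requested_protocols": _names(requested)}


def parse_connection_confirm(packet):
    """Server -> client: optional RDP_NEG_RSP or RDP_NEG_FAILURE."""
    var = _x224_variable_part(packet, X224_CC)
    if len(var) < 8:  # legacy server answers without a negotiation structure
        return {"selected_protocol": "PROTOCOL_RDP", "failure_code": None}
    kind, _flags, length, value = struct.unpack("<BBHI", var[:8])
    if length != 8:
        raise ValueError("malformed negotiation response")
    if kind == NEG_FAILURE:
        return {"selected_protocol": None, "failure_code": value}
    if kind != NEG_RSP:
        raise ValueError("unexpected negotiation structure type 0x%02x" % kind)
    name = PROTOCOL_NAMES.get(value, "unknown(0x%x)" % value)
    return {"selected_protocol": name, "failure_code": None}


def assess_capture(client_packet, server_packet):
    """Combine both halves into a verdict on what key material decryption needs."""
    result = {**parse_connection_request(client_packet),
              **parse_connection_confirm(server_packet)}
    selected = result["selected_protocol"]
    if selected == "PROTOCOL_RDP":
        result["verdict"] = "standard RDP security: server RSA private key unwraps the client random"
    elif selected in TLS_BASED:
        result["verdict"] = "TLS-based: the server key helps only if the TLS handshake used RSA key exchange"
    else:
        result["verdict"] = "negotiation failed or unknown: nothing to decrypt"
    return result


# --- constructed sample data (test helpers, not a real capture) -----------------
def _tpkt(x224_body):
    x224 = bytes([len(x224_body)]) + x224_body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def build_connection_request(cookie=None, requested=None):
    body = bytes([X224_CR]) + b"\x00\x00\x00\x00\x00"  # dst-ref, src-ref, class 0
    if cookie is not None:
        body += b"Cookie: mstshash=" + cookie.encode("ascii") + b"\r\n"
    if requested is not None:
        body += struct.pack("<BBHI", NEG_REQ, 0, 8, requested)
    return _tpkt(body)


def build_connection_confirm(selected=None, failure=None):
    body = bytes([X224_CC]) + b"\x00\x00\x00\x00\x00"
    if failure is not None:
        body += struct.pack("<BBHI", NEG_FAILURE, 0, 8, failure)
    elif selected is not None:
        body += struct.pack("<BBHI", NEG_RSP, 0, 8, selected)
    return _tpkt(body)


if __name__ == "__main__":
    # constructed: client offers TLS and CredSSP, server falls back to standard security
    client = build_connection_request(cookie="analyst", requested=0x3)
    server = build_connection_confirm(selected=0)
    print(assess_capture(client, server))
```

Run over the first client and server TCP payloads of a captured RDP session; a `PROTOCOL_RDP` verdict is the case where the server's private key is exactly what is required, while a TLS-based result means the key is only useful when the TLS handshake itself did not use an ephemeral key exchange.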

It is a Linux tool and was developed for Ubuntu 14.04. The instructions below are for installing it on this operating system.

This is released under Apache License version 2.0. By downloading this tool you are agreeing to the following license agreement. No support is available for help with installation and/or troubleshooting.